Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/02/2025, 22:49

General

  • Target

    6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe

  • Size

    343KB

  • MD5

    77fd5c6a7ed616d1146a055a9aa58720

  • SHA1

    cafacc26a98e13c768eeea3bba37973db58453c3

  • SHA256

    6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a

  • SHA512

    65fa1be05fc3df2caab383fb82af5b619ee1caedab09689878f596596ebf2972ec450fc24ae9e4c27f1639cbcac26c4b7898fa8c95ae27d4fbddb5df228f112f

  • SSDEEP

    6144:XYLtU7Ixhnhz5TN6mJWd/7qMD8gmggfojeGbfUTpYDDmu/+3fbN:osI3lFZWdqswtfJG+pG/YN

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

159.146.115.189:3131

Mutex

DC_MUTEX-6VU05UR

Attributes
  • gencode

    FbWUotbhX9sQ

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

rc4.plain

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe
    "C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5a.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
      C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2800
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    22ae47e0e7ed61c748214695e3bba74b

    SHA1

    f18dd47ecd98cf4f8a2043588a5417ead69d03da

    SHA256

    e2bfc981ad79debdac128218c7d9d3593dcf4b0890df79258039150a00d8980e

    SHA512

    4a2dc815ccfd2f104cb64a6f4b996fd3e2e8f61de382b119a45d91c384d41c2b4b27820a005c7942da46527431ba712efb2d11654d2b7084c3c709260d05305c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    96a2ba01c79885a66fccdba3df5f0ca8

    SHA1

    844735c5c58bf553bde805d7fdb2965bf4bbdaf8

    SHA256

    da7fc1a145be50965d67c91c9cf5000affecd7394fd25dc2bb21628cc0158cfc

    SHA512

    68fdf51eb0a7034b8704fe122746b43ab7a1fd4dfbca0fc1d8ccf952f1393f5aded5e4f3c87e43c80bf398d4fe008d4761d9517548028cc59c908645422cfbeb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    a82bdbe00b34081f9a5f53c5ec21b8d6

    SHA1

    09b11decd8c9dc9f1b663ccf063dbf70013eab79

    SHA256

    40f58b20ab50db92d50ba6ff1c343833b315e41fa350bccc05798cb5c996432f

    SHA512

    332df4c6ffb79eb36871a6b21107ad89108cfeb90e2babc41dc21c1a219b654c26365a547b5506e21a57bda85f7e313ecead36ef2847781c5d59e75d7da6e104

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    d815ab791629e6c9be4465b638ab24b5

    SHA1

    7d2df356626b5aeaff5425d6164ea8c77e32aeba

    SHA256

    41cab807b4330f058a0e2dec359e41c8cf45eab64cd5b5a046e94cac8ef15c07

    SHA512

    672eaa3ec54aed05ab164e22bac7031b8d7c0c77d5aa7c6b1e9c84647d1057d3145abc7c6c9504db544e546e26c14cfc43045f2ee25d4e61ee5583b306ddb8b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5adee6e8f33b49493caed41893582d7b

    SHA1

    1bda57c9f397588b284f2e6f7c7ba1f9d1ce7d7e

    SHA256

    dc1b50709705ba3a39d9e3cfd15745b4e9ce478b385c7da27073b9492e0fc36a

    SHA512

    a21b075353cac4727d3b4bbcae1c2f190cef396cd423e496761ec4c62a02eb2cf9554176b016e0e7973f845f253807e8ba2117fb896ba2f7d00d76ec1aef95a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    630ed05d084c6eba62305fa3cb8fee94

    SHA1

    3a4865a544183671eaf631e27063fbdfd73da714

    SHA256

    5c1571fc7e4828de5834fb2344f2d6371dae0a0090580b669dac6696b3145639

    SHA512

    9ef54a866bd2d92dc2de159eefabc5a01e35828de348a4c75a25c7db14db0e717a59b48376560c504114750aece8c944cb7dbca41e9a6ed15eddd34987f173fd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    b9285a530a60601f9dfd338efa80225c

    SHA1

    88f93d13f046a10b069e44b7557fa9c686ca086a

    SHA256

    38d0a93b53a3493e9c0ffb158cf2ba48fe52a2ca21612591ae470a2104c336cc

    SHA512

    40bb8bf4290fe7ed513b1d8f1fb96d9caf3280303592c174bf6b7ef21f93accaf323093529586d463214a42dc14686deb9f5b1a39283a812910ab6aa0dfd47bb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    bcfcd83fd35e5801b5ad7c17726223f1

    SHA1

    956ea4e2f4e0484d2dedc86ecc9f1bb1872366fc

    SHA256

    96ceac208c80e5ff10da32ce6b328fa7775b0aa73ebab01967a50dd4a94aedc3

    SHA512

    0bfef4e3c049cec7aeef8539b80a7522d7c5ed905ce34ce206118c5e6af93722debaf5c443326e428712305237f38aa52f5e6a95a0733c0786bbe5481fb6f579

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    fc0405d918cb4293fde546e986faae8b

    SHA1

    564896a2058967ac0bd32b32d8e8712aa989bcad

    SHA256

    c871888a63f7415116c825d6e12dea87fa4fdac656868750b6bee0b6ddacb98b

    SHA512

    03276afeb76788acadf88ea2e2e6a44fb9ac05b788a9434df1124e91db2185efacc1aa4e54a75f0bee0643d408f6403995259579f1a39d0603e6b77c4693102b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    608ecb681a0874f6bcb7809828d77344

    SHA1

    8810f0702d40c5a1065aa938458edbf8194b7800

    SHA256

    d7b8f77845f2ae0ddd58220f1596331645234f4e2f4a2d794c2c651f693315d1

    SHA512

    47a5e36c40248e44e3939348de3dcf5d7750d6c0b43c8de06e79e9e05bb2b7d633e012d843a3311ca5f9ccd9b7a5cab15c80d613991f843db17b8c30a5093097

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    047e2ee84a27b656df8a8ff73c355b23

    SHA1

    fa792ccc826d35f08b99569d6d451c46e81ea88a

    SHA256

    5e0d741a568db1e8672abb3a14773786b1ce5cd8f90cda6eee8ca89fe44ce656

    SHA512

    5ba76777422d96eab1732c38c4ff851af72a1e61d05b0513daebeebb954cadebcaee311073cd2ed31932449d67eace525b4d663fd6acc36f8d6c6453d3de8f08

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1618a0ecfbb1538fe6471989fe06586f

    SHA1

    495afe13f851c0d1a09b9db2b2464459d9c42fef

    SHA256

    babf6f5bb178ac797f11a5d720bcfc3196be0cdf0ece7e16214f6b533b7f091c

    SHA512

    7d547cf0fbd647617b994a95cae1f0807083283160fa2445940ebdea080010e4b6bbd82f48aa0051fd07223313008cb621e05af541aeb692058a27aa5d6e1a11

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    49599cfa59e94999609fb4c520fe04a7

    SHA1

    cf1e294fdd7cc4db93091752c856f1571dc4763b

    SHA256

    f8b23afb63dc629a88e810acb6c889d67ba4dadb1bab21c2781d368a63fe383d

    SHA512

    d83f4193ec86eb837700da8b7d0df07b0cbea4cc251401ce627a9bfeff0f96b7b166bce6695f7fb2e392c611a7873d05bec14fe8a7e76cee420389ad06239c99

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f499246395026f00c0d39d4287736d96

    SHA1

    c934a2bdeb75fcc31fd68a135339f8a60543f2d5

    SHA256

    d5728d137e92fbbb6529267106e8793f95e73feb80d30331b64c69ab5198adaf

    SHA512

    3bce98e73d5f7a920afcc92a0b4e2d2251b3b92a3715cd60dabc6768667dd99b1326e8ecf23f4acd8f0c3c5c4389f4337d1cc8035ce0a276dc6479fde779171f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    a86bc8a7804d75a814da31d447b311a7

    SHA1

    21a85540521fb743490033407ee013ec9183f2ca

    SHA256

    77b17c77fe3a8b3387af68f80217d5003b06b7d735f2d2802f0ce51c197ace36

    SHA512

    d2ef4f97b67127b184bea665acf8267749c3558cdaba4759d17b67d7577358ce386c0d5a3942ea0d4ec1c544b93de0ad5edfdd5d0abf133ed98f770a7a40b292

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f5841e059b6a471e865ebdf496bd656c

    SHA1

    f192e351baa5c7a7e45b37b4e1e20b92b7b58aa6

    SHA256

    73233981cedeb7eb089f65ad1a2a9139916cc5febb478711745f79c3f7189f87

    SHA512

    b3cf60ae7d7f8e557498a7a5d6c471c8933ef632693f1ad281427ad1b05fecbdbb9bb6b026bbbec5ea9e2bf8a32e8aa394d82492cc9b93b4362757e1c0ee4623

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    7941b68d6d9aca3eec535401e932b8f8

    SHA1

    971df1b3560013cc70c583025e065a28d5b5dd08

    SHA256

    e3e00cd75609be90abd41ec8b9f44a19320fa3344dd6656712d26dc0c89ca331

    SHA512

    bb28bada3712a5373cb7e728a38b42c625cccf46816b178e8ad3f73b32bd9b8718a157b54a1b602a323aae486f8a2d878fdd2564ae7f70a042d8f183378057df

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    3c96434bce3bb13b3ca289138ede1768

    SHA1

    01399ef80e53ba23fb718a7c39ac149806fe556c

    SHA256

    61d8bf33dc1866ca22c9d672d9faa2cea1be84264f131882f8a0ef37850f3eef

    SHA512

    f6a59742f3360ea36a7ef05fa6869db5dbf7b958b6375705a5ca054e3afe2f0071b0c3d8a8f7169232b2e959c8cd388edbc2290b20732002111ba411ca69ff19

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    512874db2896338c9e270e23a8b6b97f

    SHA1

    24e5bfce1f2f91cf7e39768bb38278adf02e3071

    SHA256

    4bc8487dd517210e658df2767bd5222af8c637374beb1dbe439b4603f63aaf03

    SHA512

    a0dac5722b37941a702bfbf42910f2264b998c10e7af6906e102f046c0a5b61e6b72f3942ab72d6b9276e47b66947ceefd68db89b3059ce027df6562e7017fbf

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CEE8701-F55D-11EF-A17D-4A174794FC88}.dat

    Filesize

    3KB

    MD5

    c19e57e8eec687b1b628a6c97eda6182

    SHA1

    e1cb3fc02ab3b9a9a03500e6e615ffbb47dc2469

    SHA256

    a685d2416082c4fd11abf085c23e86e4ab05abd3b72b29ad57e718c41bd93495

    SHA512

    f1de40f666d888a19f12ba40cc0462ea7f7f45efe8a247a028df01deeeef1b18c185d59e58cf671479e2cfec1f4c92fbc8994302829a07ad4c5d56f8db0aee2c

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2CF0E861-F55D-11EF-A17D-4A174794FC88}.dat

    Filesize

    5KB

    MD5

    28ec94b93e15858b3dcedf1f59467dde

    SHA1

    f396fe161f011c928e1693e0d9ba23feeacef4b6

    SHA256

    a06b126c4c5ae68af827a131a777e2b460847bce16661da3a549d8780d088f97

    SHA512

    3e8bd02ab4b63bf9d9ee08d64a039ebee196ce6c25985a957a6b9f518ec0551a7200e1d3a991aba1c48e5107f0250dd1ce212e8921b6c74c2f1e52da379e7082

  • C:\Users\Admin\AppData\Local\Temp\6514c07cc8c4c8eec0497429b2740aaa63472c91916956c08612f2ed0b11af5amgr.exe

    Filesize

    105KB

    MD5

    d5ca6e1f080abc64bbb11e098acbeabb

    SHA1

    1849634bf5a65e1baddddd4452c99dfa003e2647

    SHA256

    30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

    SHA512

    aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

  • C:\Users\Admin\AppData\Local\Temp\Cab2DF5.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Cab2E86.tmp

    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

  • C:\Users\Admin\AppData\Local\Temp\Tar2E8A.tmp

    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

  • memory/2672-18-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2672-10-0x0000000000540000-0x000000000059D000-memory.dmp

    Filesize

    372KB

  • memory/2672-466-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2672-497-0x0000000000540000-0x000000000059D000-memory.dmp

    Filesize

    372KB

  • memory/2672-498-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2672-499-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2672-501-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2672-11-0x0000000000540000-0x000000000059D000-memory.dmp

    Filesize

    372KB

  • memory/2672-0-0x0000000000400000-0x00000000004D0000-memory.dmp

    Filesize

    832KB

  • memory/2756-16-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2756-17-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2756-21-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2756-9-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/2756-12-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2756-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2756-14-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/2756-15-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB